| 1 // Copyright (c) 2010 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2010 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/http/http_network_transaction.h" | 5 #include "net/http/http_network_transaction.h" |
| 6 | 6 |
| 7 #include <set> | 7 #include <set> |
| 8 #include <vector> | 8 #include <vector> |
| 9 | 9 |
| 10 #include "base/compiler_specific.h" | 10 #include "base/compiler_specific.h" |
| 89 request_(NULL), | 89 request_(NULL), |
| 90 headers_valid_(false), | 90 headers_valid_(false), |
| 91 logged_response_time_(false), | 91 logged_response_time_(false), |
| 92 request_headers_(), | 92 request_headers_(), |
| 93 read_buf_len_(0), | 93 read_buf_len_(0), |
| 94 next_state_(STATE_NONE), | 94 next_state_(STATE_NONE), |
| 95 establishing_tunnel_(false) { | 95 establishing_tunnel_(false) { |
| 96 session->ssl_config_service()->GetSSLConfig(&ssl_config_); | 96 session->ssl_config_service()->GetSSLConfig(&ssl_config_); |
| 97 if (session->http_stream_factory()->next_protos()) | 97 if (session->http_stream_factory()->next_protos()) |
| 98 ssl_config_.next_protos = *session->http_stream_factory()->next_protos(); | 98 ssl_config_.next_protos = *session->http_stream_factory()->next_protos(); |
| 99 | |
| 100 } | 99 } |
| 101 | 100 |
| 102 HttpNetworkTransaction::~HttpNetworkTransaction() { | 101 HttpNetworkTransaction::~HttpNetworkTransaction() { |
| 103 if (stream_.get()) { | 102 if (stream_.get()) { |
| 104 HttpResponseHeaders* headers = GetResponseHeaders(); | 103 HttpResponseHeaders* headers = GetResponseHeaders(); |
| 105 // TODO(mbelshe): The stream_ should be able to compute whether or not the | 104 // TODO(mbelshe): The stream_ should be able to compute whether or not the |
| 106 // stream should be kept alive. No reason to compute here | 105 // stream should be kept alive. No reason to compute here |
| 107 // and pass it in. | 106 // and pass it in. |
| 108 bool try_to_keep_alive = | 107 bool try_to_keep_alive = |
| 109 next_state_ == STATE_NONE && | 108 next_state_ == STATE_NONE && |
| 164 int HttpNetworkTransaction::RestartWithCertificate( | 163 int HttpNetworkTransaction::RestartWithCertificate( |
| 165 X509Certificate* client_cert, | 164 X509Certificate* client_cert, |
| 166 CompletionCallback* callback) { | 165 CompletionCallback* callback) { |
| 167 // In HandleCertificateRequest(), we always tear down existing stream | 166 // In HandleCertificateRequest(), we always tear down existing stream |
| 168 // requests to force a new connection. So we shouldn't have one here. | 167 // requests to force a new connection. So we shouldn't have one here. |
| 169 DCHECK(!stream_request_.get()); | 168 DCHECK(!stream_request_.get()); |
| 170 DCHECK(!stream_.get()); | 169 DCHECK(!stream_.get()); |
| 171 DCHECK_EQ(STATE_NONE, next_state_); | 170 DCHECK_EQ(STATE_NONE, next_state_); |
| 172 | 171 |
| 173 ssl_config_.client_cert = client_cert; | 172 ssl_config_.client_cert = client_cert; |
| 174 if (client_cert) { | 173 session_->ssl_client_auth_cache()->Add(GetHostAndPort(request_->url), |
| 175 session_->ssl_client_auth_cache()->Add(GetHostAndPort(request_->url), | 174 client_cert); |
| 176 client_cert); | |
| 177 } | |
| 178 ssl_config_.send_client_cert = true; | 175 ssl_config_.send_client_cert = true; |
| 179 // Reset the other member variables. | 176 // Reset the other member variables. |
| 180 // Note: this is necessary only with SSL renegotiation. | 177 // Note: this is necessary only with SSL renegotiation. |
| 181 ResetStateForRestart(); | 178 ResetStateForRestart(); |
| 182 next_state_ = STATE_CREATE_STREAM; | 179 next_state_ = STATE_CREATE_STREAM; |
| 183 int rv = DoLoop(OK); | 180 int rv = DoLoop(OK); |
| 184 if (rv == ERR_IO_PENDING) | 181 if (rv == ERR_IO_PENDING) |
| 185 user_callback_ = callback; | 182 user_callback_ = callback; |
| 186 return rv; | 183 return rv; |
| 187 } | 184 } |
| 970 // renegotiation. | 967 // renegotiation. |
| 971 DCHECK(!stream_request_.get()); | 968 DCHECK(!stream_request_.get()); |
| 972 stream_->Close(true); | 969 stream_->Close(true); |
| 973 stream_.reset(); | 970 stream_.reset(); |
| 974 } | 971 } |
| 975 | 972 |
| 976 // The server is asking for a client certificate during the initial | 973 // The server is asking for a client certificate during the initial |
| 977 // handshake. | 974 // handshake. |
| 978 stream_request_.reset(); | 975 stream_request_.reset(); |
| 979 | 976 |
| 980 // If the user selected one of the certificate in client_certs for this | 977 // If the user selected one of the certificate in client_certs for this |
|
agl
2010/11/09 17:04:06
I think this comment has some grammar issues. (Not
wtc
2010/11/18 01:33:07
Please fix my grammatical errors. I guess we shou
| |
| 981 // server before, use it automatically. | 978 // server before, or previously declined to provide one, use it |
| 982 X509Certificate* client_cert = session_->ssl_client_auth_cache()-> | 979 // automatically. |
| 983 Lookup(GetHostAndPort(request_->url)); | 980 X509Certificate* client_cert = NULL; |
| 981 bool found_cached_cert = session_->ssl_client_auth_cache()->Lookup( | |
| 982 GetHostAndPort(request_->url), &client_cert); | |
| 983 if (!found_cached_cert) | |
| 984 return error; | |
| 985 | |
| 986 // If the user previously selected a specific certificate, as opposed to | |
|
wtc
2010/11/18 01:33:07
Nit: remove
If the user previously selected a sp
| |
| 987 // declining to provide one, check that the certificate selected is still a | |
| 988 // certificate the server is likely to accept, based on the criteria it | |
| 989 // supplied in the CertificateRequest message. | |
| 984 if (client_cert) { | 990 if (client_cert) { |
| 985 const std::vector<scoped_refptr<X509Certificate> >& client_certs = | 991 const std::vector<scoped_refptr<X509Certificate> >& client_certs = |
| 986 response_.cert_request_info->client_certs; | 992 response_.cert_request_info->client_certs; |
| 993 bool cert_still_valid = false; | |
| 987 for (size_t i = 0; i < client_certs.size(); ++i) { | 994 for (size_t i = 0; i < client_certs.size(); ++i) { |
| 988 if (client_cert->fingerprint().Equals(client_certs[i]->fingerprint())) { | 995 if (X509Certificate::IsSameOSCert(client_cert->os_cert_handle(), |
|
wtc
2010/11/18 01:33:07
Use the new X509Certificate::Equals method:
if (
| |
| 989 // TODO(davidben): Add a unit test which covers this path; we need to be | 996 client_certs[i]->os_cert_handle())) { |
| 990 // able to send a legitimate certificate and also bypass/clear the | 997 cert_still_valid = true; |
| 991 // SSL session cache. | 998 break; |
| 992 ssl_config_.client_cert = client_cert; | |
| 993 ssl_config_.send_client_cert = true; | |
| 994 next_state_ = STATE_CREATE_STREAM; | |
| 995 // Reset the other member variables. | |
| 996 // Note: this is necessary only with SSL renegotiation. | |
| 997 ResetStateForRestart(); | |
| 998 return OK; | |
| 999 } | 999 } |
| 1000 } | 1000 } |
| 1001 | |
| 1002 if (!cert_still_valid) | |
| 1003 return error; | |
| 1001 } | 1004 } |
| 1002 return error; | 1005 |
| 1006 // TODO(davidben): Add a unit test which covers this path; we need to be | |
| 1007 // able to send a legitimate certificate and also bypass/clear the | |
| 1008 // SSL session cache. | |
| 1009 ssl_config_.client_cert = client_cert; | |
| 1010 ssl_config_.send_client_cert = true; | |
| 1011 next_state_ = STATE_CREATE_STREAM; | |
| 1012 // Reset the other member variables. | |
| 1013 // Note: this is necessary only with SSL renegotiation. | |
| 1014 ResetStateForRestart(); | |
| 1015 return OK; | |
| 1003 } | 1016 } |
| 1004 | 1017 |
| 1005 // This method determines whether it is safe to resend the request after an | 1018 // This method determines whether it is safe to resend the request after an |
| 1006 // IO error. It can only be called in response to request header or body | 1019 // IO error. It can only be called in response to request header or body |
| 1007 // write errors or response header read errors. It should not be used in | 1020 // write errors or response header read errors. It should not be used in |
| 1008 // other cases, such as a Connect error. | 1021 // other cases, such as a Connect error. |
| 1009 int HttpNetworkTransaction::HandleIOError(int error) { | 1022 int HttpNetworkTransaction::HandleIOError(int error) { |
| 1010 switch (error) { | 1023 switch (error) { |
| 1011 // If we try to reuse a connection that the server is in the process of | 1024 // If we try to reuse a connection that the server is in the process of |
| 1012 // closing, we may end up successfully writing out our request (or a | 1025 // closing, we may end up successfully writing out our request (or a |
| 1171 default: | 1184 default: |
| 1172 return priority; | 1185 return priority; |
| 1173 } | 1186 } |
| 1174 } | 1187 } |
| 1175 | 1188 |
| 1176 | 1189 |
| 1177 | 1190 |
| 1178 #undef STATE_CASE | 1191 #undef STATE_CASE |
| 1179 | 1192 |
| 1180 } // namespace net | 1193 } // namespace net |
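Review bot: Dropping the `if (client_cert)` guard around `session_->ssl_client_auth_cache()->Add(...)` at new lines 173-174 of RestartWithCertificate turns a NULL certificate into a deliberate cache entry, but nothing at that call site says so, and a later reader is likely to "fix" it back; a one-line comment would pin the intent, e.g. `// A NULL client_cert is cached on purpose: it records that the user declined, so HandleCertificateRequest() will not prompt again for this host:port.` The consumer side at new lines 980-1004 of HandleCertificateRequest honors a cached NULL unconditionally, while a cached non-NULL certificate must still pass the `cert_still_valid` comparison against the server's current CertificateRequest, so a remembered decline survives changes in what the server asks for; that asymmetry looks intended, but it is worth stating next to the `if (!found_cached_cert) return error;` check, since the behavior for the NULL case now falls through to `ssl_config_.send_client_cert = true` with no certificate attached. I cannot see the cache API from this hunk, so whether a cached decline can ever be cleared within a session is unverified here. HandleCertificateRequest's opening lines are outside the visible hunk.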